Fake PayPal Two-Factor Authentication Reset Scam
Fraudsters contact PayPal users by phone or text claiming their two-factor authentication needs to be reset or verified due to a security incident, tricking them into sharing the OTP that PayPal just sent — which the attacker immediately uses to access the account.
Part of: Fake Two-Factor Authentication Scams
Last reviewed: 7 June 2026
PayPal's two-factor authentication (2FA) is a core layer of account protection that sends a one-time code to the user's registered phone when a login is attempted from a new device. Scammers who already possess a victim's PayPal email and password — obtained from a data breach or earlier phishing attack — need only this one-time code to complete their takeover.
The attack is precisely timed: the fraudster attempts a real PayPal login using the victim's credentials, which triggers a genuine OTP to be sent to the victim's phone. In the same moment, the victim receives either a spoofed call from 'PayPal security' or a text saying 'PayPal: Your 2FA code is being reset — to block this, reply with the code we just sent you'. The victim, believing they are preventing a takeover, reads back the very code that grants entry.
This attack pattern is especially effective because the OTP arrives from a genuine PayPal system message at exactly the moment the caller creates urgency. The timing makes the scenario feel convincingly real, and the victim believes they are thwarting the attack rather than enabling it.
How this scam works on the PayPal brand
PayPal's genuine 2FA process sends a one-time code to your phone whenever a login is attempted with your credentials, whether by you or by someone else. The code is for you to enter on the PayPal login page — it is never something you should share with another person or system. PayPal's own message when sending an OTP includes a warning: 'Do not share this code with anyone.'
Real PayPal security communications never ask you to read an OTP back to an agent, via text reply, or through a third-party page. If PayPal detects a suspicious login, it may alert you and ask you to confirm or deny — but that confirmation happens on the PayPal platform, not through a code you share externally.
Some attackers conduct this over a real-time phone call, maintaining conversation while watching their browser to see when the OTP has been entered and the login succeeds. Others use automated SMS flows that ask the victim to reply with the code to 'block the takeover'. The reply goes to the attacker's system, which then enters the code into the live PayPal login session.
Common red flags
- A call or text claiming PayPal's 2FA is being reset and asking you to share the code you just received
- An OTP from PayPal arrives at exactly the moment you receive a warning call — the two events are linked
- Any instruction to read or reply with a security code from PayPal
- Caller claims to be from 'PayPal security' and is urgent about a code you just received
- Text asking you to 'reply STOP' or reply with a code to block an account change
- You did not initiate a PayPal login but received a 2FA code — someone already has your password
- Caller cannot confirm your PayPal account details without asking you for them first
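A message-level check for the red flags listed above, added here as an example and not taken from PayPal or from the original page. The sample texts are constructed, and the keyword lists are assumptions about wording rather than any rule PayPal publishes; the key distinction it encodes is that a genuine OTP delivery tells you not to share the code, whereas the scam text asks you to hand it back.

```python
import re

# Constructed sample messages: a genuine-style OTP delivery, the scam text
# described on this page, an unrelated message, and a 'reply STOP' lure.
SAMPLE_MESSAGES = [
    "PayPal: Your security code is 482913. Do not share this code with anyone.",
    "PayPal: Your 2FA code is being reset - to block this, reply with the code we just sent you",
    "Your package is out for delivery today.",
    "PayPal Security: reply STOP to cancel the account change, or reply with your code",
]

BRAND = re.compile(r"\bpaypal\b", re.I)
# Negated instructions ("do not share", "never reply") are what a genuine OTP
# message says; strip them so they are not mistaken for a request.
NEGATED = re.compile(r"\b(do not|don't|never)\s+(share|reply|read|send|give|tell)\b", re.I)
# A request to hand a code back: an action verb followed, within the same
# sentence, by 'code', 'OTP' or 'PIN'.  The verb list is an assumption.
ASKS_FOR_CODE = re.compile(
    r"\b(reply|read|share|send|give|tell|confirm|provide)\b[^.]{0,40}\b(code|otp|pin)\b", re.I)
URGENCY = re.compile(r"\b(block|reset|urgent|immediately|suspend|locked|cancel)\b", re.I)
REPLY_STOP = re.compile(r"\breply\s+stop\b", re.I)


def classify_sms(text):
    """Return (is_suspicious, reasons) for one text message.

    Only PayPal-branded messages are scored; urgency words on their own are
    not a red flag (genuine alerts use them too), so they only add weight
    once the message already asks for a code.
    """
    reasons = []
    if not BRAND.search(text):
        return False, reasons
    cleaned = NEGATED.sub("", text)
    if ASKS_FOR_CODE.search(cleaned):
        reasons.append("asks you to reply with or read out a code")
    if REPLY_STOP.search(cleaned):
        reasons.append("'reply STOP' lure tied to an account change")
    if reasons and URGENCY.search(text):
        reasons.append("urgency about blocking, resetting or cancelling")
    return bool(reasons), reasons


def scan(messages):
    """Classify each message; returns a list of (text, is_suspicious, reasons)."""
    return [(m, *classify_sms(m)) for m in messages]
```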
How to protect yourself
- Never share a 2FA code with anyone under any circumstances — not even to 'block' a fraud
- If you receive an unexpected PayPal OTP, it means someone has your password — change it immediately
- Switch PayPal 2FA to an authenticator app (Google Authenticator, Authy) instead of SMS for stronger security
- Log in directly to paypal.com and review your recent login activity for unrecognised devices
- Enable PayPal's security key or hardware token option if you hold a large balance
- Use a unique email address and password for PayPal that you do not use elsewhere
- Report the suspicious call or text to PayPal before hanging up if possible
How to report it
- Forward suspicious texts to 7726 (SPAM) in the US and UK
- Report phishing to [email protected] — include as much detail as possible
- If your account was accessed, report through the PayPal Resolution Center or live chat
- File a complaint with the FTC at reportfraud.ftc.gov
- If money was lost, contact your bank or card issuer to dispute any charges made from the compromised account
Frequently asked questions
If I receive a PayPal OTP without requesting it, what should I do?
Treat it as a sign that someone has your PayPal password. Log in to PayPal directly at paypal.com, change your password immediately, and review recent login activity. Do not share the OTP with anyone.
Is an authenticator app safer than SMS for PayPal 2FA?
Yes. Authenticator apps generate codes that are time-limited and stored locally on your device, making them much harder to intercept via phone calls or SMS spoofing. PayPal supports authentication apps under Security Settings.
Can I block my PayPal account if I think it has been compromised?
You can change your password and security settings to effectively lock out anyone else. Contact PayPal through the live chat in the Resolution Center to report a compromised account and request a security review.